Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Jamf Protect - Alerts

Back
Id6098daa0-f05e-44d5-b5a0-913e63ba3179
RulenameJamf Protect - Alerts
DescriptionCreates an incident based on Jamf Protect Alert data in Microsoft Sentinel
SeverityHigh
Required data connectorsJamfProtect
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
Version1.0.6
Arm template6098daa0-f05e-44d5-b5a0-913e63ba3179.json
Deploy To Azure
jamfprotectalerts_CL
| extend
    algorithm = "SHA256",
    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
    Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
    Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
    JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")
severity: High
relevantTechniques: 
requiredDataConnectors:
- dataTypes:
  - jamfprotectalerts_CL
  connectorId: JamfProtect
status: Available
description: |
    'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'
alertDetailsOverride:
  alertDescriptionFormat: '{{EventResultMessage}} - Please investigate'
  alertTacticsColumnName: Tactics
  alertDynamicProperties:
  - alertProperty: ProviderName
    value: EventVendor
  - alertProperty: ProductName
    value: EventProduct
  - alertProperty: Techniques
    value: Techniques
  alertSeverityColumnName: EventSeverity
  alertDisplayNameFormat: '{{EventMessage}} detected on {{DvcHostname}}'
name: Jamf Protect - Alerts
customDetails:
  TargetBinarySignMsg: TargetBinarySigningInfoMessage
  JamfPro_Status: JamfPro
  Protect_Tags: Tags
  Related_Binaries: TargetBinaryFilePath
  TargetBinarySigner: TargetBinarySigningTeamID
  Protect_Analytic: EventMessage
  Protect_Event_Type: EventType
  Related_File_hash: TargetBinarySHA256
  TargetbinarySign: TargetbinarySignerType
entityMappings:
- entityType: Host
  fieldMappings:
  - columnName: DvcHostname
    identifier: HostName
  - columnName: DvcOs
    identifier: OSFamily
  - columnName: DvcOsVersion
    identifier: OSVersion
- entityType: IP
  fieldMappings:
  - columnName: Host_IPs
    identifier: Address
- entityType: Process
  fieldMappings:
  - columnName: TargetProcessCurrentDirectory
    identifier: CommandLine
  - columnName: TargetProcessId
    identifier: ProcessId
- entityType: FileHash
  fieldMappings:
  - columnName: algorithm
    identifier: Algorithm
  - columnName: TargetBinarySHA256
    identifier: Value
version: 1.0.6
kind: NRT
query: |
  jamfprotectalerts_CL
  | extend
      algorithm = "SHA256",
      Host_IPs = tostring(parse_json(DvcIpAddr)[0]),
      Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),
      Tactics = case(input.match.tags has "Execution", "Execution", input.match.tags has "Visibility", "Visibility", input.match.tags has "Persistence", "Persistence", input.match.tags has "LateralMovement", "LateralMovement", input.match.tags has "CredentialAccess", "CredentialAcccess", input.match.tags has "DefenseEvasion", "DefenseEvasion", input.match.tags has "PrivilegeEscalation", "PrivilegeEscalation", input.match.tags has "Impact", "Impact", input.match.tags has "CommandAndControl", "CommandandControl", input.match.tags has "Discovery", "Discovery", input.match.tags has "InitialAccess", "InitialAccess", ""),
      Techniques = pack_array(extract(@"[A-Za-z]\d{4}", 0, tostring(input.match.tags))),
      JamfPro = case(input.match.actions has "SmartGroup", "Workflow with Jamf Pro", input.match.actions has "Prevented", "No workflow, Prevented by Protect", "No workflow")  
suppressionDuration: PT5H
tactics: 
incidentConfiguration:
  groupingConfiguration:
    matchingMethod: AllEntities
    enabled: false
    lookbackDuration: PT5H
    reopenClosedIncident: false
  createIncident: true
suppressionEnabled: false
eventGroupingSettings:
  aggregationKind: AlertPerResult
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml
id: 6098daa0-f05e-44d5-b5a0-913e63ba3179
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "kind": "NRT",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/6098daa0-f05e-44d5-b5a0-913e63ba3179')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "{{EventResultMessage}} - Please investigate",
          "alertDisplayNameFormat": "{{EventMessage}} detected on {{DvcHostname}}",
          "alertDynamicProperties": [
            {
              "alertProperty": "ProviderName",
              "value": "EventVendor"
            },
            {
              "alertProperty": "ProductName",
              "value": "EventProduct"
            },
            {
              "alertProperty": "Techniques",
              "value": "Techniques"
            }
          ],
          "alertSeverityColumnName": "EventSeverity",
          "alertTacticsColumnName": "Tactics"
        },
        "alertRuleTemplateName": "6098daa0-f05e-44d5-b5a0-913e63ba3179",
        "customDetails": {
          "JamfPro_Status": "JamfPro",
          "Protect_Analytic": "EventMessage",
          "Protect_Event_Type": "EventType",
          "Protect_Tags": "Tags",
          "Related_Binaries": "TargetBinaryFilePath",
          "Related_File_hash": "TargetBinarySHA256",
          "TargetbinarySign": "TargetbinarySignerType",
          "TargetBinarySigner": "TargetBinarySigningTeamID",
          "TargetBinarySignMsg": "TargetBinarySigningInfoMessage"
        },
        "description": "'Creates an incident based on Jamf Protect Alert data in Microsoft Sentinel'\n",
        "displayName": "Jamf Protect - Alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Host",
            "fieldMappings": [
              {
                "columnName": "DvcHostname",
                "identifier": "HostName"
              },
              {
                "columnName": "DvcOs",
                "identifier": "OSFamily"
              },
              {
                "columnName": "DvcOsVersion",
                "identifier": "OSVersion"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "Host_IPs",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "Process",
            "fieldMappings": [
              {
                "columnName": "TargetProcessCurrentDirectory",
                "identifier": "CommandLine"
              },
              {
                "columnName": "TargetProcessId",
                "identifier": "ProcessId"
              }
            ]
          },
          {
            "entityType": "FileHash",
            "fieldMappings": [
              {
                "columnName": "algorithm",
                "identifier": "Algorithm"
              },
              {
                "columnName": "TargetBinarySHA256",
                "identifier": "Value"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": false,
            "lookbackDuration": "PT5H",
            "matchingMethod": "AllEntities",
            "reopenClosedIncident": false
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Jamf Protect/Analytic Rules/JamfProtectAlerts.yaml",
        "query": "jamfprotectalerts_CL\n| extend\n    algorithm = \"SHA256\",\n    Host_IPs = tostring(parse_json(DvcIpAddr)[0]),\n    Tags = parse_json(tostring(parse_json(tostring(input.match)).tags)),\n    Tactics = case(input.match.tags has \"Execution\", \"Execution\", input.match.tags has \"Visibility\", \"Visibility\", input.match.tags has \"Persistence\", \"Persistence\", input.match.tags has \"LateralMovement\", \"LateralMovement\", input.match.tags has \"CredentialAccess\", \"CredentialAcccess\", input.match.tags has \"DefenseEvasion\", \"DefenseEvasion\", input.match.tags has \"PrivilegeEscalation\", \"PrivilegeEscalation\", input.match.tags has \"Impact\", \"Impact\", input.match.tags has \"CommandAndControl\", \"CommandandControl\", input.match.tags has \"Discovery\", \"Discovery\", input.match.tags has \"InitialAccess\", \"InitialAccess\", \"\"),\n    Techniques = pack_array(extract(@\"[A-Za-z]\\d{4}\", 0, tostring(input.match.tags))),\n    JamfPro = case(input.match.actions has \"SmartGroup\", \"Workflow with Jamf Pro\", input.match.actions has \"Prevented\", \"No workflow, Prevented by Protect\", \"No workflow\")\n",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": null,
        "techniques": null,
        "templateVersion": "1.0.6"
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}